Chinese hackers target smart cards to grab US defense data

In the latest blow to U.S. cybersecurity, hackers based in China have managed to infiltrate the supposedly secure smart card system used by U.S. Government employees, according to a report by AlienVault.

The security firm says it has confirmed dozens of attacks originating from servers in China, by an adapted strain of the malware Sykipot. It is reportedly capable of capturing the PIN codes used by the government smart cards, which can then be used to access secure information. "We recently discovered a variant of Sykipot with some new, interesting features that allow it to effectively hijack DOD and Windows smart cards. This variant, which appears to have been compiled in March 2011, has been seen in dozens of attack samples from the past year," AlienVault said in a report of their findings on their website.

Government agencies generally use the smart card system as an extra layer of defense, as user passwords are generally quite easy to hack. It worked as well, until the Sykipot malware raised its ugly head and compromised what essentially is the government’s last physical line of defense of preventing unauthorized viewing of sensitive material contained on computers.

"Like we have shown with previous Sykipot attacks, the attackers use a spear phishing campaign to get their targets to open a PDF attachment which then deposits the Sykipot malware onto their machine," AlienVault said. "Then, unlike previous strains, the malware uses a keylogger to steal PINs for the cards. When a card is inserted into the reader, the malware then acts as the authenticated user and can access sensitive information. The malware is controlled by the attackers from the command & control center."

Sykipot has been around since 2007, is considered a high priority threat and until recently had been taking advantage of vulnerabilities in software such as Internet Explorer and Adobe Reader. Microsoft’s Excel spreadsheet has also been targeted by exploits based on the malware.

According to AlienVault though, this is the first time Sykipot has been used to specifically target smart cards. This particular new strain of the malware exclusively targets ActivIdentity, using the PKI (public key infrastructure) authentication method employed by the firm's smart cards, which are known for their compliance with U.S. government specifications.

It is not yet known what information has been compromised or taken by the hackers but since ActivIdentity was the intended target it is very clear the attacks were aimed at U.S. government and defense departments.